BBC programme broke law with botnets, says lawyer

12 Mar 2009

A BBC programme has broken the Computer Misuse Act by acquiring and using software to control 22,000 computers, creating a botnet capable of bringing down websites. A technology law specialist has said that the activity is illegal.

Click used the software to demonstrate how easy it is to gain control of the tools used to hold website owners to ransom. It used software acquired through internet chatrooms. The software controlled 22,000 computers which it had infected.

"Click ordered its PCs to send out spam to two specific test e-mail addresses set up by the programme," said a BBC description of the programme's activity. "Within hours, the inboxes started to fill up with thousands of junk messages."

Some online gangs use botnets to launch distributed denial of service (DDoS) attacks, which bombard a website with traffic until it becomes unreachable. Some threaten website operators with DDoS attacks in bids to extract payoffs.

"By prior agreement, Click launched a Distributed Denial of Service (DDoS) attack on a backup site owned by security company Prevx. Click then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible. Amazingly, it took only 60 machines to overload the site's bandwidth," said the BBC's report of the programme's activity.

The programme has said that the activity would only be illegal if those behind it had 'criminal intent', but Struan Robertson, a technology lawyer with Pinsent Masons and editor of OUT-LAW.COM, said that this is not true.

"The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam. It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer," he said.

"The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer. Using the botnet to send an email is likely to satisfy that requirement. It also requires that the access is unauthorised – which the BBC appears to acknowledge. It does not matter that the BBC's intent was not criminal or that someone else created the botnet in the first place," said Robertson.

The BBC has destroyed its botnet and does not control machines any longer. It said it has contacted the 22,000 computer owners to warn them of their machines' vulnerabilities and advise them on how to secure the computers.

Though the activity is likely to have been technically illegal, Robertson said that it is unlikely that the corporation will be punished for it.

"The maximum penalty for this offence is two years' imprisonment. But it is very unlikely that any prosecution will follow because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security," he said.

A blog posting from security firm Sophos suggests that the BBC has committed an offence of making unauthorised modifications to a computer. Robertson said that that is unlikely.

"The offence of unauthorised modification requires a recklessness or an intent that I don't think the BBC has displayed," he said.

Section three of the Computer Misuse Act describes the need for an intent to impair the operation of a computer or to hinder access to data. Such intent is not required for the section one offence of unauthorised access, said Robertson.

The BBC did not respond to OUT-LAW's request for comment. However, a message on the programme's Twitter account suggests that the team did consult lawyers. "We would not put out a show like this one without having taken legal advice," it said.